Thursday, November 29, 2007

Last week a whole group of formerly Russian malware infection websites migrated to a new home in Texas. The move seems to have been made on November 18th, when the virus sites that were formerly on the netblock with 81.95.146.236 moved wholesale to IP addresses in the netblock of 74.52.55.179.

Appropriate folks have all the details, but I wanted to talk today about the infection technique being used by one of the 46 domains, http://entireall.info/.

The way the PHP code on the website works, whatever value you are sent in the link's query string becomes the name of an ".exe" file that is available for download.

So, if you have been sent a spam, or a messagebook-comment-spam, to get the new version of Adobe Flash Version 11, then the site will obligingly give you a file called "Adobe_Flash_v11.exe".

As of this timestamp, the root directory of this site is advertising itself as an "Adobe_Flash_v11.exe" updater. VirusTotal.com indicates that only 21% of its 32 anti-virus checks detect this as a virus.

Which brings me to the real topic of today's blog: Constantly Repacked Malware

If, though, you had a link for "Gar_New_Virus", such as:

(badsite here)/search.php?qq=Gar_New_Virus

Then that would be the name of the file it would offer to download, sticking a ".exe" on the end of it for you.
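One way a defender can spot this "name the executable after the query parameter" behaviour in web proxy logs. This is an added example, not code from the original post; the log format, hostnames and field names are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines (not real traffic): method, URL, status,
# content type, and the filename the server attached via Content-Disposition
# ("-" when there was none). Hostnames are placeholders.
SAMPLE_LOG = """\
GET http://badsite.example/search.php?qq=Adobe_Flash_v11 200 application/octet-stream filename=Adobe_Flash_v11.exe
GET http://badsite.example/search.php?qq=Gar_New_Virus 200 application/octet-stream filename=Gar_New_Virus.exe
GET http://files.example/get.php?id=4411 200 application/zip filename=report-4411.zip
GET http://www.example/index.php?page=about 200 text/html -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (?:filename=(\S+)|-)$")


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url, status, ctype, fname = m.groups()
    return {"method": method, "url": url, "status": int(status),
            "content_type": ctype, "filename": fname}


def is_param_named_executable(entry):
    """True when the served file is <query value>.exe: the site minted an
    executable named after whatever the link told it to, which is the
    behaviour described in the post, not how a normal download server acts."""
    fname = entry["filename"]
    if not fname or not fname.lower().endswith(".exe"):
        return False
    stem = fname[:-4]
    params = parse_qs(urlsplit(entry["url"]).query)
    return any(stem == v for values in params.values() for v in values)


def flag_downloads(log_text):
    """Return the URLs in the log that match the pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_param_named_executable(entry):
            hits.append(entry["url"])
    return hits


if __name__ == "__main__":
    for url in flag_downloads(SAMPLE_LOG):
        print("parameter-named executable download:", url)
```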

This site functions in a similar way to other malware sites, typically related to pornographic movie spam, such as "ThisFreeMovies.com", which will send you to download "VideoAccessCodecInstall" because you are lacking the proper Windows Media Player Codec to view a movie. The malware site will obligingly announce that it is the update site for VideoAccessCodecInstall and have a file VideoAccessCodecInstall.exe for you to download.

This latter file is currently undetectable by 21 of the 32 anti-virus products at Virus-Total, including no detection from F-Prot, Kaspersky, McAfee, and Symantec.

Those that do detect it place it in a family called "Zlob" or "Zlobar".

These sites have been live for several months. Why do the major anti-virus products not detect their malware? It has to do with the fact that they are constantly "re-packing" the offensive code so that traditional signature-based anti-virus products are constantly playing catch up.

On the older of the two malware samples I downloaded just now, the detections identify Zlob:

AntiVir = DR/Zlob.Gen

AVG = Downloader.Zlob

CAT-Quickheal = TrojanDownloader.Zlob.gen

ClamAV = Trojan.Dropper-2557

F-Secure = W32/Zlob.ARDM

Microsoft = TrojanDownloader:Win32/Zlob.AMM

Norman = W32/Zlob.ARDM

Rising = Trojan.DL.Win32.Zlob.def

Sophos = Troj/Zlobar-Fam

TheHacker = Trojan/Downloader.gen

Webwasher-Gateway = Trojan.Dropper.Zlob.Gen

The other 21 products detect nothing.

But look what happens on the nearly identical virus which was packed more recently!

AntiVir = TR/Crypt.XPACK.GEn

Authentium = could be infected with an unknown virus

AVG = Downloader.Zlob.NP

eSafe = suspicious Trojan/Worm

F-Prot = W32/Heuristic-119!Eldorado

NOD32v2 = probably unknown NewHeur_PE virus

Webwasher-Gateway = Trojan.Crypt.XPACK.Gen

The other 25 products detect nothing.

We need to develop new methods for anti-virus products to deal more appropriately with "repacked" malware. Congratulations to those that are using Heuristic detection, or marking the file as suspicious because of the strange packing, but we need to know that these things are bad and warn the users!
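The heuristic products above are reacting to "strange packing". Here is the simplest form of that idea, an entropy check over the file body, written as an added example for this post (not any vendor's engine); the two file bodies are constructed stand-ins, not real samples.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024):
    """Entropy of each fixed-size slice, so a packed body stands out even
    when a small plaintext header drags the whole-file average down."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = 7.0, min_fraction: float = 0.8) -> bool:
    """Triage heuristic: if most slices are near-random, the body is probably
    compressed or encrypted by a packer, so a byte-pattern signature for the
    unpacked payload cannot match it. A reason to sandbox or flag the file
    as suspicious, not a verdict on its own."""
    scores = windowed_entropy(data)
    if not scores:
        return False
    high = sum(1 for s in scores if s >= threshold)
    return high / len(scores) >= min_fraction


# Constructed stand-ins for two file bodies (not real samples): an
# uncompressed body of repeated text, and a pseudo-random "packed" body
# built deterministically from SHA-256 digests.
PLAIN_BODY = b"This program cannot be run in DOS mode.\r\n" * 200
PACKED_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))


if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("packed", PACKED_BODY)):
        print(f"{label}: entropy={shannon_entropy(body):.2f} packed={looks_packed(body)}")
```

Real packers leave a small unpacking stub in the clear, which is why the check is done per window rather than on the whole file.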

Tuesday, November 27, 2007

Senator Patrick Leahy introduced a much-needed Identity Theft bill in the Senate on October 30th. The bill, S.2168, cited as the "Identity Theft Enforcement and Restitution Act of 2007", passed by "Unanimous Consent" on November 15th, and we now anticipate rapid action from the House.

Key improvements from the bill include:

A change which removes the previous threshold of requiring $5,000 in damages to make identity theft or spyware a Federal Offense;

A change which makes the placing of spyware or keyloggers on more than 10 computers a FELONY offense;

A change to instruct Criminal Restitution to "pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense";

A change to ensure that Identity Theft resulting from theft of mail be considered under the guidelines for "Aggravated Identity Theft";

A change to the sentencing guidelines in Section 1030 Title 18 subsection (a)(5) "Malicious Spyware, Hacking, and Keyloggers", to increase first offense sentences to include a fine and prison terms up to five years. For a second offense under the same section, the prison term would be raised to up to ten years. Language was also added regarding "an attempt to commit an offense punishable under this subparagraph". ("Attempted hacking"?);

A change to Section 1030(a)(7) that would enhance and clarify the definition of Cyber Extortion;

A change allowing a much greater forfeiture of personal property gained as a result of finances obtained via identity theft;

The bill also directs the United States Sentencing Commission to consider 13 points as they seek to increase sentences for these types of offenses.

So what happens next?

Senator Leahy described the bill as being "requested by the Department of Justice", and "supported by a broad coalition of business, high-tech and consumer groups, including Microsoft, Consumers Union, the Cyber Security Industry Alliance, the Business Software Alliance, AARP, and the Chamber of Commerce." (A letter from the Chamber of Commerce was actually read into the Congressional Record in support of the Bill.)

In traditional law-making, bills are introduced in the House and passed to the Senate. This one appears to me to be reversing the process, which means it is now necessary for the House to accept this bill as one of their own. It is now a pressing matter that this bill be voted on by the House and get passed before we all go home for Christmas.

What can you do? Make sure that your Congressman knows about this important bill, and encourage them to get the vote scheduled and to vote in the affirmative for the bill.

Sunday, November 25, 2007

Today I'm preparing for a lecture tomorrow about Malware and Phishing Risks. When I speak on phishing, I frequently mention that people fall for phishing scams for two primary reasons: fear and greed. They are made afraid that their account is about to be lost, or has already been abused by criminals, or they are enticed by the promise of a financial reward for behaving in the way the phisher desires.

When we talk about Malware, we have to add another motivation to the risks: Lust.

This week, we have another round of malware which rides on the desire of email recipients to see Britney Spears naked. The first example is a fairly standard reminder that most anti-virus products do not detect most malware during the first few days of their attack.

In this example, email recipients are told that the attachment to the email contains a "New Britney naked video". What the attached zip file actually contains is a file called "brit.exe", which, of course, turns the infected machine into a bot. Does anti-virus detect it? 53% of AV engines detect it at this time.

The second set of spam uses an assortment of "Britney" subject lines, including:

Britney showed it again!

which connects to a variety of sites with several paths to infection.

Several of the sites linked to from the emails, including velart.net, blurcolombia.com, and agrisanterre.com, had been modified to include an "iframe" which pulled additional code from "meoryprof.info".

The second one I looked at linked to the website of the "Associação Nacional de Pesquisa e Pós-Graduação em Psicologia". On that page, there is a crazy bit of encoded Javascript at the top. When it is decoded, one finds that it links to two sites:

(CAUTION: THESE ARE BAD SITES! DO NOT VISIT!)

http://ramoneymayker.info/

http://spl.vip-ddos.org/

Nope. Nothing suspicious about THOSE names. "VIP Distributed Denial of Service dot org?" I wonder what happens when that box infects a PC?

The owner of "vip-ddos.org" also owns "botnet.cc". Gee. He must have been counting on his encryption preventing us from seeing those names. (AGAIN, don't visit. Even going to the homepage loads malware from certain Malaysian computers.) VIP-DDOS is actually also the name of a popular Chinese attack tool.

So what does it take to become infected by a Drive By Downloader? The temporary temptation to click on a link in an email promising a new Britney picture.
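A webmaster checking whether their own site has been modified the way the sites above were can look for the tell-tale shape: an iframe that is hidden (zero-sized or CSS-hidden) and points at a host other than the page's own. The following is an added example, not code from the post; the HTML page and hostnames are constructed, and the encoded-JavaScript variant the post describes would still need decoding before this check applies.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML standing in for a compromised page (not any real site):
# an ordinary page with one hidden, off-site iframe injected into it.
SAMPLE_HTML = """<html><head><title>Association page</title>
<script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://injected.example/x/in.php" width="0" height="0"
        style="visibility: hidden"></iframe>
<iframe src="/embed/calendar" width="400" height="300"></iframe>
<iframe src="http://video.partner.example/player" width="640" height="360"></iframe>
</body></html>"""


def _is_hidden(attrs):
    """Zero-sized or CSS-hidden: the shape of a drive-by iframe that must
    load without the visitor noticing."""
    w = attrs.get("width", "").strip().lower()
    h = attrs.get("height", "").strip().lower()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "0px") or h in ("0", "0px")
            or "display:none" in style or "visibility:hidden" in style)


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are both hidden and point off the page's host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # valueless attrs arrive as None
        src = a.get("src", "")
        host = urlsplit(src).hostname           # None for relative URLs
        offsite = host is not None and host.lower() != self.page_host
        if offsite and _is_hidden(a):
            self.findings.append({"src": src, "host": host})


def find_hidden_offsite_iframes(html, page_host):
    """Return a list of {src, host} for each suspicious iframe in the page."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_offsite_iframes(SAMPLE_HTML, "association.example"):
        print("hidden off-site iframe ->", f["host"], f["src"])
```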

Saturday, November 17, 2007

A disturbing new spam email was received thirty-four times this morning in my spam traps. The email has one of those social engineering bodies that I would imagine to be pure gold as far as its success rate at convincing people to click on the attachment.

Here's the message:

I work in a private detective agency. My name is not important. I want to warn you that i'm going to monitor your phone line. Do you want to know who paid for shadowing you? Wait for my next letter.

P.S. I know, you don't believe me. But i think the record of your yesterday's telephone conversation will change your point. The tape is in archive. Archive password is 123qwe

The attachment is a ".rar" file, which is a compressed file format similar to a ".zip" file. The fact that many American computer users don't have software on their machines that knows how to open a RAR file may be the only thing that keeps some users safe!

When the file is extracted, it sits in the filelist with an icon which would make it seem to be an .MP3 File.

Although if you view it in a different manner, you can see that the file is actually a "Screen Saver" file.

The file name is actually:

"call1105.mp3 (many spaces here) .scr"
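A mail gateway or archive scanner can catch this padding trick by separating what a filename displays as from what it really is. This is an added example, not code from the post; the sample names are constructed, and the first one only mirrors the shape of the attachment described above.

```python
import os
import re

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# "<name>.<inner ext><run of whitespace>.<outer ext>", e.g. "call1105.mp3      .scr"
PADDED_RE = re.compile(r"^.+?(\.[A-Za-z0-9]{1,5})\s+(\.[A-Za-z0-9]{1,5})$")


def analyse_filename(name):
    """Describe what a filename really is versus what it is dressed up as."""
    stripped = name.rstrip()                     # trailing blanks never count
    true_ext = os.path.splitext(stripped)[1].lower()
    result = {"true_extension": true_ext,
              "executable": true_ext in EXECUTABLE_EXTS,
              "padded_double_extension": False,
              "displayed_as": None}
    m = PADDED_RE.match(stripped)
    if m and m.group(2).lower() in EXECUTABLE_EXTS:
        result["padded_double_extension"] = True
        result["displayed_as"] = m.group(1).lower()   # what a narrow column shows
    return result


def is_deceptive(name):
    """True for an executable padded to hide behind a harmless-looking extension."""
    r = analyse_filename(name)
    return r["executable"] and r["padded_double_extension"]


# Constructed names (not taken from a real archive); the first mirrors the
# shape of the attachment described in the post.
SAMPLE_NAMES = [
    "call1105.mp3" + " " * 60 + ".scr",
    "call1105.mp3",
    "setup.exe",
    "holiday photo.jpg .exe",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyse_filename(n)
        print(f"{n!r}  deceptive={is_deceptive(n)}  real={r['true_extension']}")
```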

Of the thirty-four samples that I received at the beginning of the day:

Nine of them use the subject "attention".

Four use the subject "I'm watching you".

Six use the subject "We monitor your privacy".

Five use the subject "you are watched".

Four use the subject "Your phone is monitored".

Two use the subject "you're being monitored".

Two use "you are being monitored".

Two use "The tape of your conversation".

All have the password of "123qwe".

As of thirty minutes ago, there were twenty-one anti-virus companies that did NOT detect this as a virus in any way. Eleven companies, according to VirusTotal.com, mostly detected it as a generic "Dropper", though Symantec called it "Trojan.Peacomm.D", which is what it calls Storm Worm viruses.

F-Prot, F-Secure, Kaspersky, McAfee, Microsoft, Sophos, and others do not detect the virus at this time.

3G terminated their 26-year-old employee John Schiefer last week as the facts began to emerge. According to a Press Release from the US Attorney's Office in the Central District of California, Schiefer "and several associates" developed malware which they used to build botnets of up to 250,000 computers, which were primarily used for stealing credentials from Paypal and other sites the owners visited.

The case has been called newsworthy because it is the first time that wiretap charges are being leveled at a botmaster.

Schiefer has agreed to plead guilty to:

1. Accessing protected computers to conduct fraud.

2. Disclosing illegally intercepted electronic communications.

3. Wire fraud.

4. Bank fraud.

Schiefer operated online with the handle "AcidStorm". I can't prove that the two are related, but an AcidStorm on one webserver that I visited posts advertisements for well known anti-spyware software, with a convenient link for downloading. The software is real, and the description he gives in the post is real, but why does he suggest you download the software from RapidShare rather than directing you to the real website?

It would be interesting if this was the SAME AcidStorm, because this AcidStorm has uploaded SEVERAL illegally shared (and possibly hacked) programs SINCE pleading guilty on November 9.

Pimp Daddy of Freebies, indeed! *THIS* Acidstorm is at best a software pirate. It will be interesting to see if he is also planting Trojans in his Warez.

Todd Moeller and Adam Vitale will join the short list of individuals who know what it feels like to be sentenced under the CAN-SPAM Act. The two were part of an online spam gang that called themselves the "g00dfellas", where Vitale went by the handle "Batch1" or "n1Hustler4Life", while Moeller called himself "Trill".

Before the period of time in question (April 2005 to August 2005), Moeller claimed to be in control of 35,000 spam-sending proxies, which he could use to hide the true origins of his email. He boasted that he could send millions of spam messages per hour. In the operation which ended in their arrest, undertaken for a $1,500 payment and the promise of 50% of eventual sales of an imaginary anti-spyware software product, AOL intercepted 1,277,401 spam messages which had been sent from 73 unique IP addresses.

conspir[ing] with VITALE to send spam e-mails to AOL subscribers, and sent spam e-mails to AOL subscribers using techniques to hide the spam e-mails’ true origin, including the use of computers to relay and retransmit the spam e-mails and altering the spam e-mails’ header information.

Although the DOJ Press Release of the guilty plea indicated that Moeller could have received an 11-year sentence, he got off with the relatively light sentence of 27 months in prison. While boasting of his spamming to the potential customer, who turned out to be a Secret Service Confidential Informant, Moeller claimed he was earning $40,000 per month by sending spam that attempted to manipulate the values of certain stocks. In this case, Moeller agreed to spam the CI's product for a 50% take on the sales.

Forensic examination of the spam e-mails indicated that VITALE and MOELLER used two different techniques to conceal from the recipients the source of the spam e-mails and allow VITALE and MOELLER to continue their illegal activity: (1) VITALE and MOELLER used computers connected to the Internet to relay or re-transmit the spam e-mails to make it look like the spam came from those computers, and not ones that could be traced to VITALE and MOELLER; and (2) VITALE and MOELLER altered the header information in their spam e-mails to make it appear the spam e-mails came from a sender other than VITALE and MOELLER.

Thursday, November 01, 2007

Do you ever write something that you think is going to be ignored, like most of the things you write, and suddenly it takes on a life of its own?

At The University of Alabama at Birmingham (UAB), I am the Director of Research in Computer Forensics. What does that mean? It means that I work on three things:

Three Things

I train students who will have CyberCrime related jobs in the future, including Computer Forensics techs, CyberCrime Investigators, Special Agents, and Computer Scientists. Some of my current students are interning with the FBI, the US Secret Service, and the Jefferson County Sheriff, just to name a few places.

I do research on CyberCrime related issues, including Phishing, Spam, and Malware. Besides writing about Ron Paul Spam, I've also written about many aspects of the Storm Worm, and have had my research presented at many law enforcement and computer security meetings. My students and I meet with people working in law enforcement and struggling with CyberCrime issues and work on better solutions to these problems. Several students have seen their research projects turned in to active law enforcement investigations.

I do public awareness and training for the public and current professionals. With October being Cyber Security Awareness Month, that was a pretty busy time for me, doing presentations on Spam, Phishing, Botnets, and participating in a Threat Assessment panel for the Congressional Internet Caucus.

Phishing

With regards to phishing, I'm a member of the CastleCops PIRT Squad where our all volunteer staff works to notify webmasters, banks, and law enforcement when someone has placed a phishing site on the Internet, and to provide them data to help them shut it down, and determine who did the attack. I'm also an active member of the Digital PhishNet where I serve on the Technology Committee, and the AntiPhishing Working Group where I co-chair the Working With Law Enforcement committee.

Spam

With regards to spam, I've presented twice at the FBI's "Slam Spam" conference, and have met with more than a hundred law enforcement professionals, security researchers, and lawyers regarding spam and related issues, including the folks who run the Federal Trade Commission's anti-spam lab, which is a fine place to report spam messages -- http://www.ftc.gov/spam/. As soon as UAB is prepared to receive your spam submissions, I'll certainly let you know here!

One of the main research projects we are working on in the Computer Forensics area is our Spam Data Mine for Law Enforcement Applications. We've had a paper accepted for presentation at the Association for Computing Machinery's Symposium on Applied Computing in Brazil, and continue to develop our techniques. My co-authors and co-researchers have developed algorithms that "parse" the interesting parts of incoming spam email messages, and then attempt to "cluster" the messages into groups based on similarities between the parsed attributes. We have really big, really fast computers to work on this project. As our inbound spam volume increases, a great team of researchers in the department who specialize in "Grid Computing" are looking forward to helping us shape our algorithms so they can take advantage of hundreds of processors, allowing even more messages to be considered in our clustering and calculations.

In future phases of this research we look forward to having new spam campaigns automatically identified and browsable on a website dedicated to this project.

All of that to make clear to the many dozens of Ron Paul Supporters who have taken their valuable time to send me their thoughts, including a few profane ones, that I am not making this crap up.

How many people do I think were behind the Ron Paul spam? One. And not one that is officially recognized in any capacity by the Ron Paul campaign.

Let me make something very clear. I never said anything that was intended to imply Ron Paul does not have a lot of online support. Is it interesting that others have seen online regularities? Yes. But that doesn't mean that there is not truly a large number of online supporters. In fact, I'll go a bit beyond that and give the Paul-ites some ammunition they can use.

One online research site measures vast amounts of Internet traffic, and then makes estimates of how many UNIQUE AMERICAN COMPUTERS visit a given website. Let's look at how some of the candidate websites stack up:

Just in time for the spookiest night of the year, the Storm botnet recruitment spam switched to a Halloween flavor.

On the evening of October 29th, the Storm worm continued to send spam messages about funny cats or krazy kats, but the websites began to change.

By October 30, many of the spam messages we received had also been modified to match the new theme. Subjects included:

Halloween Fun

To much fun

Watch him dance

You have received an ecard

With bodies such as:

I know you will like this. Heck you might even pass it on. LOL

Just a little Halloween fun.

This thing is to fun. I sent it to everyone. I hope you don.t mind.

Someone has sent you a card to make you laugh. Come see it online!

The volume of Storm recruitment email we are receiving has dramatically reduced this month, though the botnet is still sending quite a bit of Pump and Dump spam. It seems that the Storm Botnet masters still keep track of the holidays. Fourth of July, Labor Day, First Day of NFL Season, and now Halloween.